@regit
regit / gist:3263cf673cbffbf7bbb58c009fd5d93d
Created June 28, 2022 12:26
jq command to extract the domain, authenticated user and source IP of successful NTLM (SMB session setup) logons from Suricata EVE logs. Records without a user, with a non-success status code, or where the NTLMSSP host equals the domain (local-account logons) are dropped; duplicates are collapsed.

jq -r 'select(.event_type=="smb"
              and .smb.ntlmssp.user and .smb.ntlmssp.user!=""
              and .smb.status_code=="0x0"
              and .smb.ntlmssp.host!=.smb.ntlmssp.domain)
       | [ .smb.ntlmssp.domain, .smb.ntlmssp.user, .src_ip ]
       | @csv' eve.json | sort -u > users.csv
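The same selection logic as an added, runnable example (not part of the gist), implemented in Python so the effect of each filter clause can be checked against constructed EVE records. The sample lines below are made up for this example; they follow Suricata's EVE SMB/NTLMSSP field names (smb.ntlmssp.domain/user/host, smb.status_code, src_ip) and include the cases the jq filter is meant to drop: a failed logon (status 0xc000006d), a local-account logon (host equals domain), an empty user, an SMB record with no NTLMSSP block, a non-SMB event, and a duplicate (domain, user, src_ip) triple.

```python
from __future__ import annotations

import csv
import io
import json
import sys
from typing import Iterator, List, Tuple

# Constructed sample eve.json lines for this example (not real captures).
SAMPLE_EVE = r"""
{"timestamp":"2022-06-28T12:00:01.000000+0000","event_type":"smb","src_ip":"10.0.0.5","dest_ip":"10.0.0.10","smb":{"command":"SMB2_COMMAND_SESSION_SETUP","status_code":"0x0","ntlmssp":{"domain":"CORP","user":"alice","host":"WS01"}}}
{"timestamp":"2022-06-28T12:00:02.000000+0000","event_type":"smb","src_ip":"10.0.0.6","dest_ip":"10.0.0.10","smb":{"command":"SMB2_COMMAND_SESSION_SETUP","status_code":"0xc000006d","ntlmssp":{"domain":"CORP","user":"bob","host":"WS02"}}}
{"timestamp":"2022-06-28T12:00:03.000000+0000","event_type":"smb","src_ip":"10.0.0.7","dest_ip":"10.0.0.10","smb":{"command":"SMB2_COMMAND_SESSION_SETUP","status_code":"0x0","ntlmssp":{"domain":"WS03","user":"localadmin","host":"WS03"}}}
{"timestamp":"2022-06-28T12:00:04.000000+0000","event_type":"smb","src_ip":"10.0.0.8","dest_ip":"10.0.0.10","smb":{"command":"SMB2_COMMAND_SESSION_SETUP","status_code":"0x0","ntlmssp":{"domain":"","user":"","host":"WS04"}}}
{"timestamp":"2022-06-28T12:00:05.000000+0000","event_type":"smb","src_ip":"10.0.0.5","dest_ip":"10.0.0.11","smb":{"command":"SMB2_COMMAND_SESSION_SETUP","status_code":"0x0","ntlmssp":{"domain":"CORP","user":"alice","host":"WS01"}}}
{"timestamp":"2022-06-28T12:00:06.000000+0000","event_type":"smb","src_ip":"10.0.0.5","dest_ip":"10.0.0.10","smb":{"command":"SMB2_COMMAND_TREE_CONNECT","status_code":"0x0"}}
{"timestamp":"2022-06-28T12:00:07.000000+0000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.53","dns":{"type":"query","rrname":"example.com"}}
{"timestamp":"2022-06-28T12:00:08.000000+0000","event_type":"smb","src_ip":"10.0.0.9","dest_ip":"10.0.0.10","smb":{"command":"SMB2_COMMAND_SESSION_SETUP","status_code":"0x0","ntlmssp":{"domain":"CORP","user":"carol","host":"WS05"}}}
"""

Row = Tuple[str, str, str]  # (domain, user, src_ip)


def iter_eve(text: str) -> Iterator[dict]:
    """Yield one parsed record per non-empty EVE line; skip unparseable lines
    (a truncated last line in a live eve.json is common) instead of aborting."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def is_domain_logon(rec: dict) -> bool:
    """Mirror the jq select(): SMB event, non-empty NTLMSSP user, server
    returned STATUS_SUCCESS (0x0), and the client's host name differs from the
    domain it authenticated against (host == domain is a local-account logon)."""
    if rec.get("event_type") != "smb":
        return False
    smb = rec.get("smb") or {}
    ntlm = smb.get("ntlmssp") or {}
    if not ntlm.get("user"):            # null or "" -> no authenticated user
        return False
    if smb.get("status_code") != "0x0":  # anything else is a failed/partial setup
        return False
    if ntlm.get("host") == ntlm.get("domain"):
        return False
    return True


def extract_users(text: str) -> List[Row]:
    """Return the sorted, de-duplicated (domain, user, src_ip) triples,
    equivalent to the jq pipeline followed by sort -u."""
    rows = {
        (rec["smb"]["ntlmssp"]["domain"], rec["smb"]["ntlmssp"]["user"], rec["src_ip"])
        for rec in iter_eve(text)
        if is_domain_logon(rec)
    }
    return sorted(rows)


def to_csv(rows: List[Row]) -> str:
    """Render rows the way jq's @csv does: every field double-quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python extract_users.py [eve.json]; with no argument the
    # constructed sample above is used.
    data = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_EVE
    sys.stdout.write(to_csv(extract_users(data)))
```

Two caveats worth keeping in mind when reading the output: the domain, user and host strings come from the client's NTLMSSP AUTHENTICATE message, so they are attacker-controlled until the server's status code says the logon succeeded, which is why the `0x0` check matters; and Windows treats NTLM domain and user names case-insensitively, so a `sort -u` on raw strings may list `CORP\alice` and `corp\alice` as two entries.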